The Ryuk ransomware brought the Havre Public Schools' computer system down last week. After days of wading through the problem, the system was restored thanks to external backups and help from tech experts. District leaders said there is no indication that student or employee information was compromised. Shown above is the district's Robins Administration Building, which is used as an operational hub. By Friday, this was the only building in which employees still hadn't turned their computers on. (Herald file photo)

Suspected Russian-Linked Ransomware Cripples Havre Public School Computer System

By Paul Dragu on February 9, 2020

The Havre Public Schools superintendent learned via a phone call early Tuesday that ransomware had hacked and “crippled” the school district’s computer system.

“We’ve got something bad,” said the voice on the other line — a district staff member — at 6:30 a.m.

Despite the major scare, it would eventually be concluded the hackers did not gain access to student and employee information.

As it became clear early on that they were dealing with something very serious, district leaders contacted cyber-tech experts, insurance companies and the software support teams responsible for maintaining the employee and student information databases, as part of the overall effort to handle the massive problem. Carlson said they also notified the FBI.

Carlson said school officials, on expert advice, disconnected “everything with a blue cord” — including every computer, telephone, and printer in every district building.

Although the schools still functioned and doors still opened, Carlson said during the crisis, district staff and administration defaulted to using personal cell phones, personal emails and hot-spotting their laptops.

Ransomware is malicious software — also known as malware — that denies access to a computer system or data until the victim pays a ransom. It usually spreads through phishing emails or when someone unknowingly visits an infected website, according to the U.S. Department of Homeland Security.

How much money did the attackers demand?

The long-time superintendent said he didn’t know the precise number. But the amount was so outrageously beyond the district budget that an exact number was irrelevant.

“They’re talking tens of millions of dollars,” Carlson said Friday afternoon, adding that Ryuk wanted the ransom paid in Bitcoins.

Ryuk appeared on the Internet scene in 2018. The malware identifies and encrypts network drives and resources and deletes shadow copies on endpoints, meaning devices such as laptops, tablets, printers or mobile phones connected to a network. The attackers can disable the “restore” option for users, making it impossible to recover from the attack without external backups.

There was no indication the attackers knew anything about their Montana victims.

“We were not a target,” Carlson said. “Everyone is a target.”

Throughout the “stressful week,” Carlson said he learned that Ryuk is most likely connected to Russian organized crime.

The school’s data system was incrementally brought back — and by the end of the week, the district was reset to Feb. 2, the Sunday that kicked off the tumultuous week, Carlson said.

“We’re turning on switches little by little,” he added.

Overall, Carlson said the district permanently lost 20 hard drives and some archival data unrelated to employee and student information, emphasizing a crucial point.

“We have no reason to believe at this time that any student or employee information was compromised,” Carlson said. If that were the case, he added, the public would have to be notified.

Carlson said they don’t know exactly how the malware infected the district website. Chances are district officials will never know. He suspects, however, that the Ryuk ransomware infiltrated the district system through one email and spread to more emails. It marked the first time the district was hit by an attack of this magnitude, Carlson said.

In response to this scare, district leaders have since added some extra tools to help the district fend off future attacks. They have implemented endpoint detection and response technology, which monitors device and network activity and records the information in a central database for analysis, detection, investigation, reporting and alerts.
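The two technical points above, that Ryuk deletes shadow copies and disables recovery so that victims cannot restore without external backups, and that the district now relies on endpoint detection and response to monitor device activity centrally, can be tied together in a small detection. The following is an added example written for this article, not code from the district, its vendors or the Herald. It assumes a hypothetical EDR export format (one process-creation event per line with `host=`, `user=` and `cmd=` fields) and scans constructed sample lines for the commands commonly used to destroy local recovery options. The log lines and host names are constructed for the example.

```python
"""Flag recovery-tampering commands in process-creation logs.

Added example, not from the article. The log format (ts host= user= cmd=)
is a hypothetical EDR export; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass

# Commands that remove a victim's ability to restore locally: deleting or
# shrinking Volume Shadow Copies, disabling Windows recovery, deleting the
# backup catalog. One such event is worth a look; several on one host is
# the pattern described for Ryuk-style ransomware.
RECOVERY_TAMPERING_PATTERNS = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery-disabled", re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
    ("boot-status-ignore", re.compile(r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup-catalog-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Hypothetical export format: "<timestamp> host=<name> user=<name> cmd=\"<command line>\""
LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    label: str
    command: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one Alert per log line whose command matches a tampering pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skip rather than crash
        for label, pattern in RECOVERY_TAMPERING_PATTERNS:
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], label, rec["cmd"]))
                break
    return alerts


def hosts_with_multiple_tampering(alerts, threshold=2):
    """Hosts showing at least `threshold` distinct tampering behaviours.

    A lone shadow-storage resize can be routine administration; several
    different recovery-destroying commands on one host is the stronger signal.
    """
    labels_by_host = {}
    for a in alerts:
        labels_by_host.setdefault(a.host, set()).add(a.label)
    return sorted(h for h, labels in labels_by_host.items() if len(labels) >= threshold)


# Constructed sample log: one workstation with a Ryuk-like sequence, one
# backup server doing legitimate-looking maintenance, and benign noise.
SAMPLE_LOG = [
    '2020-02-04T06:02:11Z host=ws-17 user=HPS\\jdoe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2020-02-04T06:02:12Z host=ws-17 user=HPS\\jdoe cmd="bcdedit /set {default} recoveryenabled No"',
    '2020-02-04T06:02:12Z host=ws-17 user=HPS\\jdoe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2020-02-04T06:02:13Z host=ws-17 user=HPS\\jdoe cmd="wbadmin delete catalog -quiet"',
    '2020-02-04T06:05:40Z host=srv-backup01 user=HPS\\backupsvc cmd="vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20GB"',
    '2020-02-04T06:06:02Z host=ws-22 user=HPS\\asmith cmd="vssadmin list shadows"',
    '2020-02-04T06:06:30Z host=ws-22 user=HPS\\asmith cmd="notepad.exe C:\\Users\\asmith\\lesson-plan.txt"',
    'not a log line at all',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.label}] {a.command}")
    print("hosts needing immediate isolation:", hosts_with_multiple_tampering(found))
```

Run on the sample, the scan raises one alert per tampering command, and only the workstation with several distinct behaviours is reported for isolation; the backup server's single resize and the `vssadmin list shadows` query on another machine are not escalated. In a real deployment the same logic would read from the EDR's central database rather than an inline list.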

By Friday, all district systems except for the computers in the district’s administration building, the Robins Administration Building, were back up and running.

Carlson still hadn’t turned on his computer. He was still a little leery about doing so.

“I’m scared when I turn my computer on,” he said.

One thing he’s sure about is a barrage of emails awaits. One of those emails is from The Havre Herald, as we attempted to reach him for days for information about the incident.

Although visibly relieved, Carlson was reluctant to claim complete victory.

“It’s never over,” he said, implying the potential for future insidious cyber attacks.

The week was stressful, but fortunately, “We 100% had a plan.”

Update Feb. 13: Carlson said the computers at Robins have also been turned on and the system is functioning the way it’s supposed to.